Password generator bookmarklet

11 Apr 2014 • Since the Heartbleed bug has potentially exposed HTTPS request content at many Web sites, it's a good idea to change your passwords. I'm taking this opportunity to update this bookmarklet by making two changes:

Since it is never sent anywhere, and this site doesn't use HTTPS, your master password has not been exposed; however, since the basic algorithm this page uses has not changed, passwords generated with the same master password will start with the same 8 characters, so it's better if you pick a new one.

The previous version of this page is available here.

I hate passwords. I mean, I don't mind making up and memorizing the really important ones but what about all those e-commerce and community sites that want me to create accounts? I used to end up using the same password at all of them and then I felt stupid knowing that one SQL Server exploit or disgruntled admin could cost me my whole identity.

So, I wrote a bookmarklet to make up passwords for me. It asks for my master password, which is all I have to remember, and uses it to make a unique password for each site. It even types the password into any password fields on the current page for me, whether I'm registering for a new account or logging in on a subsequent visit.

Here's the bookmarklet: Generate password. You can drag it to your browser's bookmark list or button bar to keep it handy. Or just click it right now to test it on the form below.

How does it work? It gets the domain name from the page's URL and mixes it together with your personal master password using a little cryptographic magic we call SHA-1. It will always get the same result if given that domain name and master password, but will never get that result if either changes. (Well, once in a few billion times it might.)

Oh, and the SHA-1 JavaScript code is © Paul Johnston 1999-2002.
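The derivation described above, sketched for Node.js as an added example; it is not the bookmarklet's own code. The TLD list, the ":" separator, the base64 encoding and the function names are assumptions, while the 8 hashed characters and the "@1a" ending are taken from the version notes on this page.

```javascript
// Added illustration, not the bookmarklet's source. Node's built-in SHA-1 is
// used here instead of the SHA-1 script the page credits.
const { createHash } = require('node:crypto');

// Assumed list of TLDs under which organizations register names directly.
// The page confirms only that ".ly" and ".me" are on the real list.
const DIRECT_TLDS = new Set(['com', 'org', 'net', 'ly', 'me']);

// Reduce a hostname to its domain part so that "login." and "www." hosts of
// one site agree. Under any TLD not listed, three labels are kept (assumed
// rule), which is what makes "example.co.uk" come out whole.
function siteDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  const keep = DIRECT_TLDS.has(labels[labels.length - 1]) ? 2 : 3;
  return labels.slice(-keep).join('.');
}

// Hash master password and domain together, keep 8 characters of the digest
// and append the fixed "@1a" ending the page mentions. The ":" separator and
// the base64 encoding are assumptions.
function sitePassword(master, hostname, useWholeHostname = false) {
  const site = useWholeHostname ? hostname.toLowerCase() : siteDomain(hostname);
  const digest = createHash('sha1').update(`${master}:${site}`, 'utf8').digest('base64');
  return digest.slice(0, 8) + '@1a';
}

// Constructed sample inputs.
const master = 'correct horse battery staple';
for (const host of ['www.example.com', 'login.example.com', 'www.example.org']) {
  console.log(host.padEnd(18), siteDomain(host).padEnd(12), sitePassword(master, host));
}
// Older behaviour described on the page: hashing the whole hostname gives the
// login host a different password from the one set on the www host.
console.log(sitePassword(master, 'login.example.com', true) ===
            sitePassword(master, 'www.example.com', true));
```

The derivation is a single unsalted SHA-1 call, so every generated password is only as hard to guess as the master password itself.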

Here's a sample form to test the bookmarklet on:

Here's a plain text field that won't be affected:
Here's a password field:
Here's a text field named "password":

Here's a version of the bookmarklet that has a hard-coded MASTER_PASSWORD (which you'd replace with your own), so it fills in the passwords on the current page as soon as it's clicked or selected. Of course, anyone with access to your workstation can use it, and your master password will be stored in the clear in your bookmarks list. Still, mighty handy.

Other versions

It can be difficult to save a bookmarklet on a mobile device. If you click here the bookmarklet will be appended to the current page URL, which you can then bookmark and edit to remove everything up to the "#".

Here's a page for an older version of the bookmarklet that generated passwords with only ten characters that ended in "1a" not "@1a".

Here's a page for an older version of the bookmarklet that didn't have ".ly" or ".me" in its list of domains that allow organizations under the TLD.

Here's a page for an older version of the bookmarklet that used the whole hostname rather than the domain part, which didn't work well for sites that use a separate "login" or "register" hostname.

If you've been using one of those versions and want to use this instead - and you really should! - you'll have to update all the passwords you've already set. I wish there were a way around this but it's the price of simplicity!

And here's an HTML/JavaScript form that will let you generate passwords for things besides the current site.